While developing a simple application, a code analysis tool gave me the following warning:

Consider possible security implications associated with the call module.

for this particular code snippet: from subprocess import call, and further down in the same stretch call('...', shell=True). I tried with shell=False and it did not work; the call to this method in the program is made with an argument of type string rather than a list, but in that case I also tested with a list of arguments.

From what I know about imports, symbol scope and performance, this would be the best way to import, since I will only be using this one function. Is it safe?

Reading this excerpt from the documentation:

If passing a single string, either shell must be True (see below) or else the string must simply name the program to be executed without specifying any arguments.

I realized that even though the usage is insecure, the implementation is correct, but reading a little more only raised more doubts: 'If shell is True, the specified command will be executed through the shell', and if it is not True... where will it be executed?

PS: 'If args is a string, the interpretation is platform dependent and described below.' (This is said about Popen; does the same apply to call?)

Is there any way to keep using the call method with a string argument safely? (Or will I have to use Popen, which I believe is basically the same thing, only with more arguments? I'm asking partly out of curiosity.)
Have you tried plumbum? See if it makes sense for you in that answer.
– Sidon
Opa, I'll test it here, I didn't know about it. Thanks for the tip.
– user48471
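The behaviours the question asks about (what shell=True does with a string, where the program runs when shell=False, and why a bare string fails without a shell) are easiest to see side by side. The script below is an added example, not code from the question or from any answer on this page. It runs the current Python interpreter as the "target program" so that it works offline on any machine with Python 3.7+; the attacker-controlled value README; echo INJECTED is constructed for the demo, and the shell-specific parts assume a POSIX /bin/sh.

```python
import shlex
import subprocess
import sys

# The program we actually intend to run: the current interpreter printing its
# first argument back. Chosen so the demo needs no external binaries.
ECHO_ARG = "import sys; print('arg:', sys.argv[1])"

# Constructed attacker-controlled input: a plausible value followed by a shell
# metacharacter and a second command.
INJECTED_INPUT = "README; echo INJECTED"

# A command *string* that the developer controls, with every argument quoted
# using shell rules (see run_command_string below).
SAFE_COMMAND_STRING = (
    f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARG)} "
    f"{shlex.quote(INJECTED_INPUT)}"
)


def run_with_shell(user_value):
    """Vulnerable pattern: build one command string and pass it with shell=True.

    With shell=True the string is handed to '/bin/sh -c' (cmd.exe on Windows),
    so ';', '|', '$(...)' and backticks inside user_value are interpreted by the
    shell, and the attacker's second command runs.
    """
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARG)} {user_value}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_without_shell(user_value):
    """Safe pattern: pass argv as a list and keep shell=False (the default).

    No shell is involved: on POSIX, Python calls execvp() itself; on Windows it
    calls CreateProcess(). user_value arrives at the program as one argv element
    no matter which characters it contains, so nothing in it is "executed".
    """
    argv = [sys.executable, "-c", ECHO_ARG, user_value]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def run_command_string(cmd_string):
    """Keep writing the command as a string, but split it in-process.

    shlex.split applies POSIX quoting rules to produce the argv list, so a
    string the developer controls can still be run with shell=False.
    """
    argv = shlex.split(cmd_string)
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def run_string_directly(cmd_string):
    """What shell=False does with a single string: it is the whole program name.

    This is the documentation sentence from the question in action: on POSIX,
    "ls -l" is looked up by execvp() as a program literally named "ls -l". On
    Windows the string is passed to CreateProcess unchanged, which is the
    platform dependence the docs refer to; the same rule applies to call(),
    which is a thin wrapper around Popen.
    """
    try:
        subprocess.run(cmd_string, capture_output=True)
        return "ran"
    except FileNotFoundError:
        return "FileNotFoundError"


if __name__ == "__main__":
    print("shell=True  :", repr(run_with_shell(INJECTED_INPUT)))
    print("shell=False :", repr(run_without_shell(INJECTED_INPUT)))
    print("shlex.split :", repr(run_command_string(SAFE_COMMAND_STRING)))
    print("bare string :", run_string_directly("ls -l"))
```

Running it on a POSIX system, the shell=True variant prints the intended line followed by INJECTED, the list form prints the entire injected text as a single harmless argument, the shlex.split form behaves like the list form, and the bare "ls -l" string raises FileNotFoundError. The practical answer to the question is therefore: keep shell=False and give call() a list; if the command must start life as a string, split it with shlex.split rather than switching shell on.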